DKIM: CNAME records not advertising

0

Hello,

I am having an issue with the DKIM CNAME records not advertising through Route53; our other CNAME records work fine.

selector1._domainkey.vetmedux.com will not resolve, but when I run the test it shows it works from within Route53.

Is there something I am missing? Should be rather simple to get it going.


  • Can you share screen shot of cname record?

  • Yes, just did.

  • Thanks. Answered below.

Jtech
asked 10 months ago, 359 views
2 answers
0

Is this in a private or public zone? If you are running Split Horizon, make sure it's in the public zone, as internally you could resolve from your VPC if it was created in a private zone.

EXPERT
answered 10 months ago
  • Public zone with simple routing

  • Now I am stumped

0

TL;DR answer: I think you had it right to begin with.

selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com is a TXT record, and as such doesn't have an IP address to resolve to, so you can't nslookup it in the normal way. You can get its value by running nslookup -q=txt:

$ nslookup selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com
Server:  dns.google
Address:  8.8.8.8

Name:    selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com


$ nslookup -q=txt selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com   text =

        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08RF3VL/RhdOWjNFU0/A+aKMUX0N5fMkE8ZXFFOgIRuYTZ4qGOXOlz7YmNNyVGOEoDYqJeqzQtJ8FHM3J9eYRApS4In0IduS38L/8pCKcfmDwXgMXzfR0k+cIguSWYA+ChCUOJMPHmRUmolaME8aAvVObYlWPDGHpcdfjAqsyPCY5sGrkYn8st5dhYP2I+IVn"
        "WRcr9V4XEFN751dGh9l7QmRcLyoMB2NGfehBV2OdaXxI28epzQOZWDyg3xxJ9QCXSYtrRN3N0y8vfDtut/NCjZA15JqlL+DFcL3zZQR3JecBjb7P2pyTvoEya2i0b7QKG3WWcHXrWTALkSc8T+SqQIDAQAB;"

$

It is completely legal to have a CNAME whose value is the record name of a TXT record, but you're just going to see the same behaviour.

In a domain that I own I've set up a simple TXT record called txtrecord, and then a CNAME pointing to it called cname2txt:

$ nslookup txtrecord.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Name:    txtrecord.[mydomain].net


$ nslookup cname2txt.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Non-authoritative answer:
Name:    cname2txt.[mydomain].net


$ nslookup -q=txt txtrecord.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
txtrecord.[mydomain].net     text =

        "thisisatextrecord"

$ nslookup -q=txt cname2txt.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
cname2txt.[mydomain].net     canonical name = txtrecord.[mydomain].net
txtrecord.[mydomain].net     text =

        "thisisatextrecord"

$

And just for completeness, I've set up a record in my domain that mimics what you're trying to do, and it works as described above:

$ nslookup selector1._domainkey.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Non-authoritative answer:
Name:    selector1._domainkey.[mydomain].net


$ nslookup -q=txt selector1._domainkey.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
selector1._domainkey.[mydomain].net  canonical name = selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com
selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com   text =

        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08RF3VL/RhdOWjNFU0/A+aKMUX0N5fMkE8ZXFFOgIRuYTZ4qGOXOlz7YmNNyVGOEoDYqJeqzQtJ8FHM3J9eYRApS4In0IduS38L/8pCKcfmDwXgMXzfR0k+cIguSWYA+ChCUOJMPHmRUmolaME8aAvVObYlWPDGHpcdfjAqsyPCY5sGrkYn8st5dhYP2I+IVn"
        "WRcr9V4XEFN751dGh9l7QmRcLyoMB2NGfehBV2OdaXxI28epzQOZWDyg3xxJ9QCXSYtrRN3N0y8vfDtut/NCjZA15JqlL+DFcL3zZQR3JecBjb7P2pyTvoEya2i0b7QKG3WWcHXrWTALkSc8T+SqQIDAQAB;"

I should also include that, rather than all this fiddling about with nslookup flags, if you dig the record you can see the correct value is set from the start:

$ dig selector1._domainkey.[mydomain].net

; <<>> DiG 9.16.40-RH <<>> selector1._domainkey.[mydomain].net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27574
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;selector1._domainkey.[mydomain].net.        IN      A

;; ANSWER SECTION:
selector1._domainkey.[mydomain].net. 300 IN  CNAME   selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com.

;; AUTHORITY SECTION:
onmicrosoft.com.        28      IN      SOA     ns1-208.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300

;; Query time: 187 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Jul 22 15:11:32 AEST 2023
;; MSG SIZE  rcvd: 226

$

If you don't have the dig command available to you then I can recommend the Google Toolbox interface at https://toolbox.googleapps.com/apps/dig/

EXPERT
Steve_M
answered 10 months ago
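Added example, not from either answer above: a stdlib-only Python script that takes the DKIM record exactly as the nslookup -q=txt output prints it (the two quoted strings are the 255-byte chunks of one TXT record and must be concatenated), parses the tags, and checks that the published p= value is a well-formed RSA SubjectPublicKeyInfo with a sane key size. The DER reader is a minimal helper written for this example and assumes an rsaEncryption key, as the key shown above is.

```python
import base64
import re

# Constructed input: the DKIM TXT record as the nslookup -q=txt output above prints it.
# A single TXT character-string is capped at 255 bytes, so the key arrives as two strings.
NSLOOKUP_OUTPUT = '''
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08RF3VL/RhdOWjNFU0/A+aKMUX0N5fMkE8ZXFFOgIRuYTZ4qGOXOlz7YmNNyVGOEoDYqJeqzQtJ8FHM3J9eYRApS4In0IduS38L/8pCKcfmDwXgMXzfR0k+cIguSWYA+ChCUOJMPHmRUmolaME8aAvVObYlWPDGHpcdfjAqsyPCY5sGrkYn8st5dhYP2I+IVn"
        "WRcr9V4XEFN751dGh9l7QmRcLyoMB2NGfehBV2OdaXxI28epzQOZWDyg3xxJ9QCXSYtrRN3N0y8vfDtut/NCjZA15JqlL+DFcL3zZQR3JecBjb7P2pyTvoEya2i0b7QKG3WWcHXrWTALkSc8T+SqQIDAQAB;"
'''

def join_txt_strings(output: str) -> str:
    """Concatenate every double-quoted character-string in order, as a DKIM verifier must."""
    return "".join(re.findall(r'"([^"]*)"', output))

def parse_dkim_tags(record: str) -> dict:
    """Split 'tag=value; tag=value;' into a dict; '=' inside values (base64 padding) survives."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop any folding whitespace
    return tags

def _der_tlv(buf: bytes, pos: int = 0):
    """Minimal DER helper: read one tag-length-value at pos, return (tag, value, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_params(p_tag: str):
    """Decode p= as SubjectPublicKeyInfo and return (modulus bits, public exponent)."""
    _, spki, _ = _der_tlv(base64.b64decode(p_tag))  # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _alg, pos = _der_tlv(spki)                     # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_seq, _ = _der_tlv(bitstr[1:])              # skip unused-bits octet; RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_tlv(rsa_seq)               # INTEGER modulus
    _, e_bytes, _ = _der_tlv(rsa_seq, pos)            # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")

def check_dkim_record(output: str) -> dict:
    """Join, parse and sanity-check a DKIM TXT record; raises ValueError if it is unusable."""
    tags = parse_dkim_tags(join_txt_strings(output))
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not a usable DKIM1 RSA key record")
    bits, exponent = rsa_key_params(tags["p"])
    return {"tags": tags, "modulus_bits": bits, "exponent": exponent}
```

Paste the quoted strings from any nslookup -q=txt output into NSLOOKUP_OUTPUT; a record with a missing p= tag, a truncated key, or an undersized modulus fails the check immediately.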
